Cybersecurity specialists reported the finding of seven vulnerabilities in various Qualcomm chips. According to the report, exploiting these flaws would allow the deployment of various malicious scenarios, such as out-of-bounds reading, among others.
Below are brief descriptions of reported vulnerabilities, in addition to their respective scores and tracking keys according to the Common Vulnerability Scoring System (CVSS).
CVE-2020-3700: A boundary condition in WIN WLAN Host allows remote threat actors to access sensitive information on the target system triggered an out-of-bounds read error. This is an average severity failure that received a score of 6.5/10 on the CVSS scale.
CVE-2019-10580: A use-after-free flaw in HLOS allows malicious hackers to gain elevated privileges on the target system, compromising the vulnerable system.
This is a low severity vulnerability and received a 7/10 score on the CVSS scale.
CVE-2020-3701: That flaw exists due to a use-after-free error in Qualcomm’s camera driver. Remote hackers could gain elevated privileges on the target system, completely exposing the vulnerable system. This is a high severity failure, so he was assigned a score of 8.5/10.
CVE-2020-3688: A boundary condition in mp4 file analysis allows threat actors to access sensitive information on the target system triggered memory vulnerabilities.
The flaw received a score of 6.5/10, so it is considered an average severity error.
CVE-2020-3671: This vulnerability exists due to a use-after-free error that allows remote hackers to compromise an affected system by obtaining elevated privileges on the system. This is a critical flaw that received a score of 8.5/10 on the CVSS scale.
CVE-2020-3698: A limit error processing unreliable entries on the WLAN host allows remote hackers to compromise the target system by executing arbitrary code. This vulnerability received a score of 8.5/10, so it is considered a critical flaw.
CVE-2020-3699: A limit error in WLAN HOST could be exploited to run remote code on the target system. Threat actors can cause serious damage to system memory, as well as execute arbitrary code. The flaw received a score of 8.5/10, so it is considered a critical error.
Although the flaws can be exploited by unauthenticated remote hackers, researchers have found no evidence of attacks in real-world scenarios or some malware associated with the attack.
The faults have already been fixed, so users are advised to verify the security of their deployments. The full list of affected products can be found on Qualcomm’s official platforms.
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert. He also worked for security companies like Kaspersky Lab. His everyday job includes researching about new malware and cyber security incidents. Also he has deep level of knowledge in mobile security and mobile vulnerabilities.